emotet | d72366e3e0c8f717c97001d8ba5eff5b6e07d8536e13eaa9ab1927fce4c97f26

Analysis

max time kernel
133s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
Size

492KB
MD5

dc73a0184b43be81da178e478ba9fca5
SHA1

ff7e92e306ffe9f13070b1aabbe4d57abc93ed6d
SHA256

d72366e3e0c8f717c97001d8ba5eff5b6e07d8536e13eaa9ab1927fce4c97f26
SHA512

9cdbb3f843aa66b193705729fc6645d131605e133615609393d9d926b25a8c7ff51a5e915e39f8583489faac80a44fd4b7074633841ceedccb118ae534db6f2b
SSDEEP

12288:Qagi9CKepyNMu8u9cXw3pPeWCehtlw/5U:Fgi9tTNj8uww3cTTU

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

104.32.141.43:80

112.68.240.21:80

104.236.28.47:8080

46.105.131.87:80

45.55.65.123:8080

120.150.246.241:80

60.231.217.199:8080

74.58.165.170:80

163.139.237.65:80

24.164.79.147:8080

78.24.219.147:8080

178.153.176.124:80

162.241.92.219:8080

92.222.216.44:8080

174.83.116.77:80

108.191.2.72:80

5.196.74.210:8080

47.156.70.145:80

70.127.155.33:80

78.189.180.107:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WinTypes.exe

pid	process
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe
1896	WinTypes.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe

pid process

4500 2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exeWinTypes.exe

pid	process
4500	2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
4500	2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
1896	WinTypes.exe
1896	WinTypes.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe

description	pid	process	target process
PID 4500 wrote to memory of 1896	4500	2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe	WinTypes.exe
PID 4500 wrote to memory of 1896	4500	2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe	WinTypes.exe
PID 4500 wrote to memory of 1896	4500	2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe	WinTypes.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\WinTypes\WinTypes.exe
"C:\Windows\SysWOW64\WinTypes\WinTypes.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-4-0x0000000003E90000-0x0000000003E9C000-memory.dmp

Filesize
48KB

Download
memory/4500-1-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/4500-0-0x00000000040E0000-0x00000000040EC000-memory.dmp

Filesize
48KB

Download